Operational Technology (OT) refers to the hardware and software systems that control and monitor physical devices and processes in industries such as energy, manufacturing, transportation, and utilities. OT systems are often used in critical infrastructure and are increasingly connected to the internet, making them potential targets for hackers.
In recent years, there has been a sharp increase in cyber attacks targeting OT systems. In our recent 2023 Threat Report, we mapped out 57 cybersecurity incidents that had physical consequences out of 218 reported attacks. These events highlight the vulnerabilities of OT systems, the potential consequences of “successful” attacks, and most importantly, the fact that they are dramatically increasing each year.
OT hackers, also known as industrial control system (ICS) or SCADA (Supervisory Control and Data Acquisition) cyber attackers, typically aim to gain unauthorized access to OT networks and disrupt or manipulate critical processes. Their motivations may vary, including financial gain, espionage, activism, or sabotage.
Here are some general activities OT hackers are busy with these days:
Finding vulnerabilities and exploiting them:
OT hackers typically search for vulnerabilities in ICS and SCADA systems, such as outdated software, weak passwords, or insecure network configurations, as well as using open-source research to find exploits for these vulnerabilities in order to gain unauthorized access.
Here’s an example of Hunting for ICS vulnerabilities by Cody Bernadry:
Malware payloads for OT hardware:
In the past, ICS hackers would require large teams to create the malware payloads that they intended to install once they hacked into the system. Most OT systems are fairly obscure when compared against common technology such as computers and smartphones, so finding hackers that are familiar with each OT system was the biggest obstacle. With the recent advent of AI that can write code, hackers can explain what they need in simple English, and then have the required code generated for them, ready for the attack.
Additionally, AI generated malware is much harder to catch, as it is considered clean when scanned by an IDS or malware detectors, since it is the first time that code is being used anywhere.
Here’s a clip from Cyber News that highlights some examples of using ChatGPT to generate malware, or simply recreating existing malware but with fresh code that can’t be detected as easily:
Social Engineering:
Sometimes, hackers don’t use any software to bypass all the safeguards, rather, they use the weakness of human nature to gain access.
Who would win:
- The most robust firewall and IDS ever created?
or… - A sweet mom with a crying baby in the background who just needs some help getting back into the system?Have a look:
This crying-baby social engineering hack shown in the video above is largely focused on getting IT credentials and info. The scope of this article is on OT hackers, so it is important to point out that most attacks on OT are initiated via the IT. So, it is totally expected that social engineering techniques focused on penetrating OT defenses would have a kill-chain that runs through the IT department.
Social Engineering Bus Hack:
As machinery and systems become more hardware and less software, does that negate the possibility of it being hacked? This hacker points out how he used knowledge combined with a unique hole puncher and thrown-out stacks of bus transfer tickets to “hack the system” and get free bus rides. Take a look:
Supply Chain Cyber Attacks:
Instead of engaging a target directly, hackers sometimes try to target an OT network indirectly by focusing on their supply chain of 3rd party vendors. All it takes is just one of many vendors to miss something to end up providing a “backdoor” to the entire OT network. By compromising the supply chain via 3rd parties, hackers can gain access to the targeted systems indirectly, in ways that are way more cumbersome to audit and prevent.
Here we have some examples of supply chain attacks, including an explanation of Target’s Customer Data Breach which was the result of hackers exploiting the air conditioning ICS because they had only used the free version of the malware software, and not the paid version. Once the HVAC system was hacked, the hackers used that access to install skimming software on each cash register’s credit card reader and recorded the credit card details of all customer transactions.
Have a look:
Ransomware:
OT ransomware attacks are where hackers encrypt critical systems, and then demand a ransom (payment) for the decryption key which is needed to unlock everything. The kind of attacks have increasingly targeted OT systems because the “critical” aspects of their purpose are seen as applying pressure for the ransom to be paid.
The BBC did a short piece about a Norwegian company that suffered a costly ransomware attack. Have a look:
It’s important to note that the field of cybersecurity is dynamic, and new attack techniques and methods continuously emerge over time. Organizations that rely on OT systems should keep updated on the latest security best practices.
In conclusion, the activities of OT hackers pose a significant threat to operational technology systems in vital industries. The increasing number of cyber attacks targeting these systems emphasizes the vulnerabilities they face and the potential consequences of successful attacks. OT hackers often employ many other tactics than the ones mentioned above and are able to gain unauthorized access and disrupt critical processes. By understanding the tactics and activities of OT hackers, organizations can better posture their cyber defenses in order to protect their critical infrastructure and ensure the reliability and security of their operations in an increasingly interconnected world.